HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1)

Transcription

1 2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office Practicum General Session

2 Learning Objectives Understand what HIPAA and Patient Safety have to do with my practice Identify resources that I can use for my practice Identify 3 areas where I can improve security and safety for my practice

3 Disclaimer

4 HIPAA HIPAA Privacy Rule HIPAA Security Rule HIPAA Breach Notification Rule Patient Safety Rule

5 Who does this affect? ALL medical practices NOT just those who participate in Meaningful Use or Medical Home

6 HIPAA Privacy Rule Major goal: HIPAA Privacy is to assure that individuals health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being Administrative Requirements: a covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule

7 HIPAA Privacy Rule Let s take a closer look

8 HIPAA Privacy Rule Establishes national standards Protect individual s medical records and other personal health information (PHI) Applies to health plans, healthcare clearinghouses, health care providers

9 HIPAA Privacy Mandates Practices Have in place safeguards to protect the privacy of PHI Set limits on use and disclosure of PHI without specific patient authorization Recognize patients have rights over their PHI including: A right to examine and receive a copy of their health record A right to request correction of their health record information

10 Provider Notice of Privacy Policies Provide notice no later than the first date of service (except in emergencies) Make a good faith effort to obtain written acknowledgement of receipt of the notice & if unable document why Make the most recent notice (one that reflects any changes in policies) available for individuals to request and take with them

11 Sample/Model HIPAA Privacy Policies HHS Sample Policies in English & Spanish HIPAA Resources from AAFP Kressly Pediatrics HIPAA Policy (feel free to adapt for your practice)

12 HIPAA Policy Question 1 Q. Do we have to update our HIPAA policy annually? A. No. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices.

13 HIPAA Policy Question 2 Q. Do we have to get annual or periodic signatures from patients/families? A. No. Only to acknowledge the original receipt of the HIPAA policy

14 HIPAA Policy Question 3 Q. Is our practice required to notify patients via mail or of any changes to our policy? A. No. If you make a change to your policy, you must make the new policy available to your patients, post it in a clear & prominent location in your facility and on your website if you have one.

15 HIPAA Privacy Question 1 Q. Can an 18 year old sister pick up forms or a prescription for her younger brother? A. Yes. The practice may share relevant information with the family & other persons if it can reasonably infer, based on professional judgment, that the patient does not object.

16

17 HIPAA Privacy Question 2 Q. What can I do for other offices/health systems who refuse to send me information without expressed written consent from the patient? A. Consider creating a fax form requesting information with HIPAA references at the bottom

18 HIPAA Security Rule Goal: The Security Standards for the Protection of Electronic Protected Health Information establish a national set of security standards for protecting certain health information that is held or transferred in electronic form Administrative Requirements: a covered entity must adopt reasonable & appropriate policies and procedures to comply with the provisions of the Security Rule

19 HIPAA Security Resources Information Security Policy Template Security Audit Template Tool for Small Practices Cybersecurity Best Practice Checklist Regional Extension Center Resources State Medical Society Resources

20

21 HIPAA Security Question 1 Q. Must our practice certify our compliance with the standards of the Security Rule? A. No. There is no standard or certification requirements. An organization can decide on whether to use external third parties to perform security assessments but that does not absolve practices from meeting their legal requirements.

22 HIPAA Security Question 2 Q. Once we have completed a security risk assessment, are we finished? A. No. Compliance is not a one-time goal but an ongoing process. In general, this includes performing a risk analysis; implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation.

23 HIPAA Security Question 3 Q. Does security only take into consideration our computer access to our EHR? A. No. Practices should examine physical security safeguards such as unlocked back doors, policies regarding access for terminated employees, visible access to large monitors in a high patient traffic area, etc.

24 HIPAA Breach Notification Rule The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates (BA) to provide notification following a breach of unsecured protected health information Requirements: following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, & in certain circumstances, to the media

25 Breach Notification Requirements Individual Notification Must occur within 60 days of discovery of breach Must occur via first class mail unless prior agreement that patient agrees to notification If >500 patients involved in a state/jurisdiction, required to provide notice to prominent media outlets serving the area

26 HIPAA Breach Question 1 Q. Do I have to report all accidental discovery of any HPI to the HHS secretary? A. No. However, any impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

27 Factors to Consider in Defining Breach The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification The unauthorized person who used the protected health information or to whom the disclosure was made Whether the protected health information was actually acquired or viewed The extent to which the risk to the protected health information has been mitigated.

28 HIPAA Breach Question 2 Q. If there were only 3 patients affected in a HIPAA breach in my office, do I still have to report this somewhere? A. Yes. All breaches are to be submitted to the Secretary of HHS. Can be done annually for breaches affecting < 500 patients or at the time of occurrence (reporting tool on HHS website)

29 Patient Safety Rule The Patient Safety and Quality Improvement Act (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information to Patient Safety Organizations (PSOs)

30 HIPAA Enforcement Enforcement has been transferred to the Office for Civil Rights Enforces Privacy & Security Rules in several ways by investigating complaints filed with it conducting compliance reviews to determine if covered entities are in compliance performing education and outreach to foster compliance with the Rules' requirements

31 Should You Fear the HIPAA Police? HIPAA

32 No Fear Needed HIPAA is not meant to be punitive Most investigations lead to continued improvement Make HIPAA a Continuous Improvement Project in your practice Work to identify gaps and then address them Good Overview/Additional Information available at multiple places including Medical Economics

33 Best Practices Have a designated HIPAA Privacy & Security Officer with alternate (in case of vacation) Commit to ongoing HIPAA education for your office Maintain a folder of policies, procedures, business associate agreements, potential breach reporting templates, breach notification templates, etc. Review annually and discuss whether updates necessary

34

35 Questions?

36 We want your feedback!